(Aster)-picking through the pieces of short URL services: An investigation into the maliciousness of short URLs (PowerPoint PPT presentation)
SLIDE 1

(Aster)-picking through the pieces of short URL services

An investigation into the maliciousness of short URLs

Robert Diepeveen & Peter Boers 2016

SLIDE 2

Motivation

  • Obfuscation
  • Brute force
  • Uniform sample
  • Contributions:
    – Comparison between services
    – Observation of locality based adware network

SLIDE 3

Research questions:

  • What portion of the short URL services are used for malicious purposes and what does the abuse look like?
    – Which service provides proportionally the most short URLs flagged as malicious?
    – What properties can be observed in encountered malicious sites?

SLIDE 4

Which services are looked into?

  • Previous work found the most popular services
  • Alexa.com
  • “Well known”
    – TinyURL
    – bitly
    – goo.gl
  • t.co, not investigated
SLIDE 5

How do you classify a site as malicious?

  • Google Safe Browsing
    – Malware
    – Phishing
    – “Unwanted”
  • DNSBL
    – Domain blacklist
    – IP blacklist
  • Other methods:
    – PhishTank
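The DNSBL part of this classification is a plain DNS lookup: the visited host's IP is written octet-reversed under the blacklist zone (nibble-reversed for IPv6), a domain is written as-is under a domain-list zone, and an A-record answer inside 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The example below, added here and not code from the presentation or the authors, implements that lookup logic in Python. The zone names `ip.dnsbl.example` and `dbl.dnsbl.example`, the host `bad.example` and the answer table are constructed placeholders so that it runs offline; `lookup_live` shows where the system resolver would plug in. Answers outside 127.0.0.0/8 (a wildcarded or dead zone) are reported as `unexpected` rather than as a hit, which is the caveat a crawler that counts blacklist hits needs.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here (RFC 5782)


def dnsbl_query_name(ip, zone):
    """Query name for an IP under an IP-based DNSBL zone: reversed octets (v4) or reversed nibbles (v6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        label = ".".join(reversed(addr.exploded.split(".")))
    else:
        label = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{label}.{zone}"


def dnsbl_domain_query_name(domain, zone):
    """Query name for a hostname under a domain-based blacklist zone (DBL style)."""
    return f"{domain.strip('.').lower()}.{zone}"


def interpret_answer(addresses):
    """Turn the A-record answers of a DNSBL query into a verdict."""
    if not addresses:
        return "not_listed"  # NXDOMAIN / empty answer
    if all(ipaddress.ip_address(a) in LISTED_NET for a in addresses):
        return "listed"  # the specific 127.0.0.x code, if any, is list-specific
    return "unexpected"  # e.g. wildcarded or expired zone; do not count as a hit


def lookup_live(name):
    """Resolve with the system resolver; an empty list stands for NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_long_url_host(host, resolved_ips, domain_zone, ip_zone, resolve=lookup_live):
    """Classify one long-URL host: domain blacklist plus IP blacklist for each resolved address."""
    verdict = {"domain": interpret_answer(resolve(dnsbl_domain_query_name(host, domain_zone)))}
    for ip in resolved_ips:
        verdict[ip] = interpret_answer(resolve(dnsbl_query_name(ip, ip_zone)))
    return verdict


# Constructed stand-in for DNS answers (zone names and listings are placeholders, not real lists).
SAMPLE_ANSWERS = {
    "10.2.0.192.ip.dnsbl.example": ["127.0.0.2"],
    "bad.example.dbl.dnsbl.example": ["127.0.1.2"],
    "broken.example.dbl.dnsbl.example": ["203.0.113.5"],  # misbehaving zone answers with a public IP
}


def resolve_sample(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    print(check_long_url_host("bad.example", ["192.0.2.10", "198.51.100.7"],
                              "dbl.dnsbl.example", "ip.dnsbl.example", resolve_sample))
```

Swap `resolve_sample` for the default `lookup_live` (or a dedicated DNS library) to query a real list; the verdict logic stays the same.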

SLIDE 6

What else is interesting to know about the URLs that are online?

  • Short URLs
    – Creation date
    – Clicks
    – Referrers
  • Long URLs
    – SSL info
    – Malicious classification
    – Server headers (Last-Modified, Server, status code)
    – Script links
    – Page size

SLIDE 7

SLIDE 8

Uniform sampling

  • Key space approximations and hash lengths:
    – Bitly: 3.5 trillion, max 7
    – TinyURL: 80 billion, max 7
    – Goo.gl: 58 billion, max 6
  • Random number generator to base conversion
  • [0-9A-Za-z]
  • Keyspace is not fully used
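The sampling method on this slide is a base conversion: draw an integer uniformly from [0, base^length) and write it in the 62-symbol alphabet, so every key is equally likely and the hit rate estimates the real share of live (and malicious) keys. The Python below is an added example, not the authors' crawler; it implements the conversion, its inverse and the uniform draw. The keyspace sizes it computes match the slide's figures: 62^7 ≈ 3.5 trillion (Bitly) and 62^6 ≈ 57 billion (Goo.gl). The slide's 80 billion for TinyURL equals 36^7, which suggests a 36-symbol alphabet for that service; that is an inference from the numbers, not something the slide states.

```python
import secrets

# Alphabet the slide gives for the services' hashes: [0-9A-Za-z], 62 symbols.
ALPHABET_62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def keyspace_size(length, alphabet=ALPHABET_62):
    """Number of distinct keys of exactly `length` symbols over `alphabet`."""
    return len(alphabet) ** length


def int_to_key(n, length, alphabet=ALPHABET_62):
    """Base conversion: write integer n as exactly `length` symbols (zero-padded)."""
    base = len(alphabet)
    if not 0 <= n < base ** length:
        raise ValueError(f"{n} does not fit in {length} symbols of base {base}")
    symbols = []
    for _ in range(length):
        n, remainder = divmod(n, base)
        symbols.append(alphabet[remainder])
    return "".join(reversed(symbols))  # most significant symbol first


def key_to_int(key, alphabet=ALPHABET_62):
    """Inverse of int_to_key, so an encountered key can be mapped back to its index."""
    base = len(alphabet)
    n = 0
    for symbol in key:
        n = n * base + alphabet.index(symbol)  # ValueError for symbols outside the alphabet
    return n


def sample_key(length, alphabet=ALPHABET_62):
    """Uniform sample: a CSPRNG integer below base**length, converted to a key.

    int_to_key is a bijection between [0, base**length) and fixed-length keys,
    so every key is equally likely. Most draws hit unused keys (the slide's
    "keyspace is not fully used"), which is why few Bitly/Goo.gl keys resolve.
    """
    return int_to_key(secrets.randbelow(len(alphabet) ** length), length, alphabet)


if __name__ == "__main__":
    for name, length in (("Bitly", 7), ("Goo.gl", 6)):
        print(f"{name}: {keyspace_size(length):,} keys of length {length}")
    print("TinyURL if base 36:", f"{keyspace_size(7, ALPHABET_62[:36].lower()):,}")
    print("sample:", sample_key(7))
```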
SLIDE 9

Setup

  • 12 VMs
  • 4 days of data gathering
  • 96 threads per service
    – Except goo.gl
  • 4 short URLs inserted in MongoDB per second
  • Average traffic:
    – 8,52 Mbit/s out
    – 2,44 Mbit/s in

SLIDE 10

The numbers

  • Approx. 1.4 million short URLs encountered
    – TinyURL: 1,39 million visited
    – Bitly: +/- 6K visited
    – Goo.gl: +/- 4K visited
  • Malware – undetected hits
    – TinyURL: 946
    – Bitly: 2
    – Goo.gl: 0

SLIDE 11

The numbers (2)

Service   Undetected   Detected   Total    Percentage
TinyURL   946          70,302     71,248   5.17%
Bitly     2            1          3        +/- 0.05%
Goo.gl                 4          4        +/- 0.01%
Totals    948          70,307     71,255

SLIDE 12

asterpix.com

Domain                        Count
www.asterpix.com              495
video.asterpix.com            113
www.tagvn.com                 75
www.filelodge.com             57
keyknowhow.com                23
hurl.content.loudeye.com      16
static.zangocash.com          14
www.perfectporridge.com       13
www.content.loudeye.com       5
Small counts (<= 4)           137

SLIDE 13

What is asterpix.com?

  • Origins in 2006 as a video sharing site
  • Short URLs are created during that period
    – video.asterpix.com/v/<ID>/<Title>/
    – www.asterpix.com/console/?avi=<ID>
  • 2009: links and short URLs “die”
  • 2015: malware registered
SLIDE 14

Taxonomy

  • Encountered a Dutch site during first visit.
  • How does locality influence redirection?
    – Asia
    – America
    – Europe
  • Three phases
    – Entry
    – Redirection
    – Hand off

SLIDE 15

The phases

  • Entry
    – Where is the visitor from?
    – Has he visited in the past?
  • Redirection
    – Typical JS redirection to obfuscate paths
    – All over the world and at least 4 hops
    – Depending on location of visitor
  • Hand off
    – Catered to the visitor in language and offering

SLIDE 16

What was observed?

  • One known entry point
  • Two known non malicious landing pages
  • Eight known malicious landing pages
    – Surveys
    – “Free” money
    – Vouchers
  • Overlapping redirect chains
    – park.above.com
    – bidr.trellian.com
    – z[a-z].zeroredirect.com

SLIDE 17

SLIDE 18

SLIDE 19

SLIDE 20

SLIDE 21

Conclusion/Discussion

  • Significant amount of malicious sites at TinyURL
  • Undetected rate more or less the same over the services.
  • Proportionally more malicious long URLs at TinyURL in total.
  • Sites change over time, short URLs remain active
    – Unable to see if this is actively abused
  • Locality based redirection observed
    – Block secondary/tertiary redirectors.

SLIDE 22

Future work

  • The “repurposing” of short URLs and its abuse
  • The effectiveness of blocking underlying redirectors
  • A further case study into locality based adware networks to find commonalities
  • Optimization of the search for bitly and goo.gl
  • Look into smaller, lesser known providers.